LDAP Injection

Overview

Versions 2.3.2 and earlier of ldapauth-fork are affected by an LDAP injection vulnerability. This allows an attacker to inject and run arbitrary LDAP commands via the username parameter.

Recommendation

Update to ldapauth-fork version 2.3.3 or later.

References

• https://github.com/vesse/node-ldapauth-fork/issues/21
• https://github.com/vesse/node-ldapauth-fork/commit/3feea43e243698bcaeffa904a7324f4d96df60e4
• GitHub Advisory